Nginx Reverse Proxy IP Forwarding for Shopify?

We are making an attempt to make our site more content-driven and while Shopify is a cool ecommerce platform, it's not that great when it comes to content. So we've moved our site from solely on Shopify and put WordPress on an Nginx server. On that server we have reverse proxied the store into /store on the site following this post.

All was well after I configured it, but since the traffic ramped up for the day, we've been faced with this ban message:

[Image: IP ban message]

My guess is that Shopify does not look at the forwarded IP from the client and as a result the server is being banned due to all of the traffic. Ultimately, this may just not be the workaround that we were looking for and we may need to leave Shopify altogether. Basically our store has been down all day due to this.

Can anyone confirm that this method doesn't work? Or if it's just a configuration error on my end.

Here's my location from the nginx config file:

location ~^/store/(collections|cart|products|shopify|pages|blogs|checkout|admin)/?/
{
    rewrite /store/(.*) /$1 break;
    proxy_pass https://xxxx.myshopify.com;
    proxy_set_header   Host             $host;
    proxy_set_header   X-Real-IP        $remote_addr;
    proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
    proxy_redirect off;
    client_max_body_size 10m;
    client_body_buffer_size 128k;
    proxy_connect_timeout 90;
}

I'd very much appreciate any help. Let me know if there's anything else I can provide to make this easier to answer.

Thanks!


Solution 1:

I heard back from Shopify again. They confirmed that this is an issue on their end:

Aaron here from Shopify, I'd just replied to you on Twitter! I've just heard back from our escalated support teams on this. This is happening due to a recent code addition to Shopify - there are somewhat stricter rules on what a single IP can do. Since all the traffic coming from the store shows as the same IP, the bot blocking software picks it up and blocks traffic for two minutes - but as it's ongoing that results in a constant downtime.

What our technical experts have suggested is setting it as shop.domain.com rather than domain.com/shop, that should sort it for you - if you continue to have issues, let me know and we'll move on to next steps on this for you!

Naturally, this is not a solution since SEO is part of our core strategy.
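
The mechanism described in the support reply above, as an added example that is not part of the original post and not Shopify's code: a per-IP limiter keyed on the TCP peer address ends up blocking every visitor behind one reverse proxy, while an origin that honours X-Forwarded-For only from a proxy it trusts does not. The thresholds, IP addresses and function names are constructed for illustration; only the two-minute block comes from the page.

```python
import ipaddress
from collections import defaultdict, deque

# Constructed thresholds: the page states only the two-minute block.
WINDOW_S, MAX_REQS, BLOCK_S = 10, 20, 120

def client_key(peer_ip, xff, trusted_proxies):
    """Address to rate-limit on. X-Forwarded-For counts only when the TCP peer
    is a trusted proxy; otherwise any client could forge it to dodge the limit."""
    nets = [ipaddress.ip_network(n) for n in trusted_proxies]
    def trusted(ip):
        return any(ipaddress.ip_address(ip) in n for n in nets)
    if not xff or not trusted(peer_ip):
        return peer_ip
    # Rightmost untrusted hop is the client; entries left of it are client-supplied.
    for hop in reversed([h.strip() for h in xff.split(",")]):
        try:
            if not trusted(hop):
                return hop
        except ValueError:          # malformed entry: fall back to the peer
            return peer_ip
    return peer_ip

class Limiter:
    """Sliding-window counter that blocks a key for BLOCK_S once it exceeds MAX_REQS."""
    def __init__(self):
        self.hits = defaultdict(deque)
        self.blocked_until = {}
    def allow(self, key, now):
        if self.blocked_until.get(key, 0) > now:
            return False
        q = self.hits[key]
        while q and q[0] <= now - WINDOW_S:
            q.popleft()
        q.append(now)
        if len(q) > MAX_REQS:
            self.blocked_until[key] = now + BLOCK_S
            return False
        return True

def simulate(trusted_proxies, visitors=50, reqs_each=3):
    """Rejected requests when `visitors` shoppers all arrive through one proxy."""
    proxy, lim, rejected = "203.0.113.10", Limiter(), 0   # constructed proxy IP
    for second in range(reqs_each):
        for v in range(visitors):
            xff = f"198.51.100.{v + 1}"                   # constructed client IPs
            key = client_key(proxy, xff, trusted_proxies)
            rejected += not lim.allow(key, now=second)
    return rejected
```

With an empty trust list every request is counted against the proxy's address and the block never lifts while traffic continues; with the proxy trusted, each shopper is counted separately.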

Solution 2:

This is an old post, but I thought I would share the following for anyone else who finds this question.

Another option would be to use CloudFront. Requests will then come from a range of IP addresses and potentially mitigate this problem.

Let's say you have yourstore.com, and you have blog.yourstore.com. You could set up a CloudFront distribution like so:

  • Origin: blog.yourstore.com
  • Behavior: /blog -> blog.yourstore.com
  • Behavior: /blog/* -> blog.yourstore.com
  • Behavior: Default (*) -> yourstore.myshopify.com

Note:

  • Select "Use Origin Cache Headers" for the behaviors.
  • Forward Host, Origin, and Referer headers for blog behaviors.
  • Allow "GET, HEAD, OPTIONS, PUT, POST, PATCH, DELETE" HTTP methods for blog behaviors.

blog.yourstore.com could then be hosted on an EC2 server with nginx. I recommend 301 redirecting non-CloudFront requests (e.g., Google crawler or people going to blog.yourstore.com manually) to yourstore.com/blog. You can do so via an nginx rewrite (in addition to your other nginx rules specific to hosting WordPress) like so:

server {
  listen 80;
  server_name blog.yourstore.com;
  root /home/wordpress/www;

  listen 443 ssl;
  ssl_certificate /etc/ssl/yourstore.com.bundle.crt;
  ssl_certificate_key /etc/ssl/yourstore.com.key;

  return 301 https://yourstore.com/blog$request_uri;
}

For www.yourstore.com redirection to yourstore.com, you can set up a second distribution for www.yourstore.com, point that at an S3 bucket, and configure the S3 bucket to redirect requests to yourstore.com.

Note that this setup assumes your store is at yourstore.com instead of yourstore.com/store. If you wish to use /store, you'll need to adjust things slightly.

Solution 3:

Unfortunately the answer here is probably "remove the reverse proxy".

If you really need content and shop together you'll need Shopify enhanced, either to show the content, to turn off the IP ban, or to accept forwarded-for headers.

If you can tolerate different domains you could put WordPress on the main domain and Shopify on a subdomain, or vice versa. It's not a great solution, but it's the easiest.

With a bit of luck someone else will come along with a better solution.